This is the accessible text file for GAO report number GAO-04-1099T
entitled 'Social Security Numbers: Use Is Widespread and Protections
Vary in Private and Public Sectors' which was released on September 28,
2004.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Subcommittee on Commerce, Trade and Consumer Protection:
House of Representatives:
United States General Accounting Office:
GAO:
For Release on Delivery Expected at 2:00 p.m. EDT:
Tuesday, September 28, 2004:
SOCIAL SECURITY NUMBERS:
Use Is Widespread and Protections Vary in Private and Public Sectors:
Statement of Barbara D. Bovbjerg:
Director Education, Workforce, and Income Security Issues:
GAO-04-1099T:
GAO Highlights:
Highlights of GAO-04-1099T, a testimony to Subcommittee on Commerce,
Trade and Consumer Protection, House of Representatives:
Why GAO Did This Study:
In 1936, the Social Security Administration (SSA) established the
Social Security number (SSN) to track workers’ earnings for social
security benefit purposes. Today, private and public sector entities
frequently ask individuals for SSNs in order to conduct their
businesses and sometimes to comply with federal laws. Although uses of
SSNs can be beneficial to the public, SSNs are also a key piece of
information in creating false identities either for financial misuse or
for assuming an individual’s identity. The retention of SSNs in the
public and private sectors can create opportunities for identity theft.
In addition, the aggregation of personal information, such as SSNs, in
large corporate databases, as well as the public display of SSNs in
various records accessed by the public, may provide criminals the
opportunity to easily obtain this personal information. Given the
heightened awareness of identity crimes, this testimony focuses on
describing (1) how private sector entities obtain, use, and protect
SSNs, and (2) public sector uses and protections of SSNs.
What GAO Found:
Private sector entities rely extensively on SSNs. We reported early
this year that entities such as information resellers, consumer
reporting agencies , and health care organizations routinely obtain
SSNs from their business clients and public sources, such as government
records that can be displayed to the public. These entities then use
SSNs for various purposes, such as to verify an individual’s identity
or to match existing records, and have come to rely on the SSN as an
identifier, which helps them determine a person’s identity for the
purpose of providing the services they offer. There is no single
federal law that regulates the overall use or restricts the disclosure
of SSNs by private sector entities. However, certain federal laws have
helped to place restrictions on the disclosures of personal information
private sector entities are allowed to make to their customers, and
certain states have enacted laws to restrict the private sector’s use
of SSNs.
Public sector entities also extensively use SSNs. All three levels of
government use the SSN to comply with certain federal laws and
regulations, as well as for their own purposes. These agencies rely on
the SSN to manage records, verify benefit eligibility, collect
outstanding debt, and conduct research and program evaluations. In
addition, given the open nature of certain government records, SSNs
appear in records displayed to the public such as documents that record
financial transactions or court documents. Despite the widespread
reliance on and use of SSNs, government agencies are taking steps to
safeguard the SSN. For example, some agencies are not using the SSN as
the primary identification number. In a previous report, we proposed
that Congress consider developing a unified approach to safeguarding
SSNs used in all levels of government and particularly those displayed
in public records, and we continue to believe that this approach has
merit.
The use of SSNs by both private and public sector entities is likely to
continue, but the more frequently SSNs are used, the more likely they
are to be misused given the continued rise in identity crimes. In
considering restrictions to SSN use, policy makers will have to balance
the protections that could occur from such restrictions with legitimate
business needs for the use of SSNs.
[See PDF for image]
Source: GAO: Social Security Administration:
[End of figure]
www.gao.gov/cgi-bin/getrpt?GAO-04-1099T.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Barbara Bovbjerg at
(202) 512-7215 or bovbjergb@gao.gov.
Mr. Chairman and Members of the Subcommittee:
I am pleased to be here today to discuss private and public sector
entities' use of Social Security numbers (SSNs). Although the Social
Security Administration (SSA) originally created SSNs as a means to
track workers' earnings and eligibility for Social Security benefits,
over time the SSN has come to be used for a myriad of purposes;
individuals are frequently asked to supply personal information,
including their SSNs, to both public and private sector entities. In
addition, individuals' SSNs can be found in a number of public sources
such as records displayed to the public. Given the uniqueness and broad
applicability of the SSN, many private and public sector entities rely
extensively on the SSN sometimes as a way to accumulate and identify
information for their databases, sometimes to comply with federal
regulations, and other times for various business purposes. The
potential for misuse of the SSN has raised questions about how private
and public sector entities obtain, use, and protect SSNs.
Although Congress has passed a number of laws to protect the security
of personal information, the continued use of and reliance on SSNs by
both private and public sector entities underscores the importance of
determining if appropriate safeguards are in place to protect
individuals' private information or if enhanced protection of
individuals' personal information is needed. Accordingly, you asked us
to talk about how certain types of private and public sector entities
obtain SSNs and what protections, if any, exist to govern their use. My
remarks today will focus on describing (1) how private sector entities
obtain, use, and protect SSNs and (2) public sector uses and
protections.
To determine how private sector entities obtain, use, and protect SSNs,
we relied on our previous work that looked at how private sector
entities obtain and use SSNs and the laws that limit disclosure of this
use.[Footnote 1] To determine how the public sector uses and protects
SSNs, we also relied on our previous work that looked at the
government's use and protection of SSNs.[Footnote 2] In addition, we
are conducting structured interviews of federal agencies concerning the
display of SSNs.
In summary, entities such as information resellers, consumer reporting
agencies (CRAs), and health care organizations routinely obtain SSNs
from their business clients and from public sources, such as marriage
licenses, paternity determinations, and professional licenses.
Businesses use SSNs for various purposes, such as to build databases,
verify individuals' identities, or match existing records.[Footnote 3]
Given the various types of services these companies offer, we found
that all of these entities have come to rely on the SSN as an
identifier, which they say helps them determine a person's identity for
the purpose of providing the services they offer. However, certain
federal laws have helped to limit the disclosures of personal
information these private sector entities are allowed to make to their
customers. Private sector entities are either subject to the laws
directly, given the nature of their business, or indirectly, through
their business clients who are subject to these laws. Some states have
also enacted laws to restrict the private sector's use of SSNs.
However, such restrictions vary by state.
Public sector entities also rely extensively on SSNs. These agencies
often obtain SSNs for compliance with federal laws and regulations and
for their own agencies' purposes. We found that federal, state, and
county government agencies rely extensively on the SSN to manage
records, verify benefit eligibility, collect outstanding debt, conduct
research and program evaluations, and verify information provided to
state drivers' licensing agencies.[Footnote 4] Given that SSNs are
often the identifier of choice among individuals seeking to create
false identities, these agencies are taking steps to safeguard SSNs.
Yet despite these actions, SSNs appear in records displayed to the
public such as documents that record financial transactions or court
documents. In a previous report, we proposed that Congress consider
developing a unified approach to safeguarding SSNs used in all levels
of government and particularly those displayed in public records, and
we continue to believe that this approach has merit.[Footnote 5]
Background:
The Social Security Act of 1935 authorized SSA to establish a record-
keeping system to help manage the Social Security program, and this
resulted in the creation of the SSN. Through a process known as
enumeration, unique numbers are created for every person as a work and
retirement benefit record for the Social Security program. SSA
generally issues SSNs to most U.S. citizens, and SSNs are also
available to noncitizens lawfully admitted to the United States with
permission to work. SSA estimates that approximately 277 million
individuals currently have SSNs. The SSN has become the identifier of
choice for government agencies and private businesses, and thus it is
used for a myriad of non-Social Security purposes.
The growth in the use of SSNs is important to individual SSN holders
because these numbers, along with names and birth certificates, are
among the three personal identifiers most often sought by identity
thieves.[Footnote 6] In addition, SSNs are used as breeder information
to create additional false identification documents, such as drivers'
licenses. Recent statistics collected by federal agencies and CRAs
indicate that the incidence of identity theft appears to be
growing.[Footnote 7] The Federal Trade Commission (FTC), the agency
responsible for tracking identity theft, reported that consumer fraud
and identity theft complaints grew from 404,000 in 2002 to 516,740 in
2003. In 2003, consumers also reported losses from fraud of more than
$437 million, up from $343 million in 2002. In addition, identity
crimes account for over 80 percent of SSN misuse allegations according
to the SSA. Also, officials from two of the three national CRAs report
an increase in the number of 7-year fraud alerts placed on consumer
credit files, which they consider to be reliable indicators of the
incidence of identity theft.[Footnote 8] Law enforcement entities
report that identity theft is almost always a component of other
crimes, such as bank fraud or credit card fraud, and may be prosecuted
under the statutes covering those crimes.
Private Sector Entities Routinely Obtain and Use SSNs, and Certain Laws
Affect The Disclosure of This Information:
Private sector entities such as information resellers, CRAs, and health
care organizations routinely obtain and use SSNs.[Footnote 9] Such
entities obtain the SSNs from various public sources and their business
clients wishing to use their services. We found that these entities
usually use SSNs for various purposes, such as to build tools that
verify an individual's identity or match existing records. Certain
federal laws have limited the disclosures private sector entities are
allowed to make to their customers, and some states have also enacted
laws to restrict the private sector's use of SSNs.
Private Sector Entities Obtain SSNs from Public and Private Sources and
Use SSNs for Various Purposes:
Private sector entities such as information resellers, CRAs, and health
care organizations generally obtain SSNs from various public and
private sources and use SSNs to help identify individuals. Of the
various public sources available, large information resellers told us
they obtain SSNs from various records displayed to the public such as
records of bankruptcies, tax liens, civil judgments, criminal
histories, deaths, real estate ownership, driving histories, voter
registrations, and professional licenses. Large information resellers
said that they try to obtain SSNs from public sources where possible,
and to the extent public record information is provided on the
Internet, they are likely to obtain it from such sources. Some of these
officials also told us that they have people that go to courthouses or
other repositories to obtain hard copies of public records.
Additionally, they obtain batch files of electronic copies of all
public records from some jurisdictions.
Given the varied nature of SSN data found in public records, some
reseller officials said they are more likely to rely on receiving SSNs
from their business clients than they are from obtaining SSNs from
public records. These entities obtain SSNs from their business clients,
who provide SSNs in order to obtain a reseller's services or products,
such as background checks, employee screening, determining criminal
histories, or searching for individuals. Large information resellers
also obtain SSN information from private sources. In many cases such
information was obtained through review of data where a customer has
voluntarily supplied information resellers with information about
himself or herself. In addition, large reseller officials said they
also use their clients' records in instances where the client has
provided them with information.
We also found that Internet-based resellers rely extensively on public
sources and records displayed to the public. These resellers listed on
their Web sites public information sources, such as newspapers, and
various kinds of public record sources at the county, state, and
national levels. During our investigation, we determined that once
Internet-based resellers obtained an individual's SSN they relied on
information in public records to help verify the individual's identity
and amass information around the individual's SSN.
Like information resellers, CRAs also obtain SSNs from public and
private sources as well as from their customers or the businesses that
furnish data to them. CRA officials said that they obtain SSNs from
public sources, such as bankruptcy records, a fact that is especially
important in terms of determining that the correct individual has
declared bankruptcy. CRA officials also told us that they obtain SSNs
from other information resellers, especially those that specialize in
obtaining information from public records. However, SSNs are more
likely to be obtained from businesses that subscribe to their services,
such as banks, insurance companies, mortgage companies, debt collection
agencies, child support enforcement agencies, credit grantors, and
employment screening companies. Individuals provide these businesses
with their SSNs for reasons such as applying for credit, and these
businesses voluntarily report consumers' charge and payment
transactions, accompanied by SSNs, to CRAs.
We found that health care organizations were less likely to rely on
public sources for SSN data. Health care organizations obtain SSNs from
individuals themselves and from companies that offer health care plans.
For example, subscribers or policyholders provide health care plans
with their SSNs through their company or employer group when they
enroll in health care plans. In addition to health care plans, health
care organizations include health care providers, such as hospitals.
Such entities often collect SSNs as part of the process of obtaining
information on insured people. However, health care officials said
that, particularly with hospitals, the medical record number rather
than the SSN is the primary identifier.
Information resellers, CRAs, and health care organization officials all
said that they use SSNs to verify an individual's identity. Most of the
officials we spoke to said that the SSN is the single most important
identifier available, mainly because it is truly unique to an
individual, unlike an individual's name and address, which can often
change over an individual's lifetime. Large information resellers said
that they generally use the SSN as an identity verification tool. Some
of these entities have incorporated SSNs into their information
technology, while others have incorporated SSNs into their clients'
databases used for identity verification. For example, one large
information reseller that specializes in information technology
solutions has developed a customer verification data model that aids
financial institutions in their compliance with some federal laws
regarding "knowing your customer." We also found that Internet-based
information resellers use the SSN as a factor in determining an
individual's identity. We found these types of resellers to be more
dependent on SSNs than the large information resellers, primarily
because their focus is more related to providing investigative or
background-type services to anyone willing to pay a fee. Most of the
large information resellers officials we spoke to said that although
they obtain the SSN from their business clients, the information they
provide back to their customers rarely contains the SSN. Almost all of
the officials we spoke to said that they provide their clients with a
truncated SSN, an example of which would be xxx-xx-6789.
CRAs use SSNs as the primary identifier of individuals, which enables
them to match the information they receive from their business clients
with the information stored in their databases on individuals.[Footnote
10] Because these companies have various commercial, financial, and
government agencies furnishing data to them, the SSN is the primary
factor that ensures that incoming data is matched correctly with an
individual's information on file. For example, CRA officials said they
use several factors to match incoming data with existing data, such as
name, address, and financial account information. If all of the
incoming data, except the SSN, match with existing data, then the SSN
will determine the correct person's credit file. Given that people
move, get married, and open new financial accounts, these officials
said that it is hard to distinguish among individuals. Because the SSN
is the one piece of information that remains constant, they said that
it is the primary identifier that they use to match data.
Health care organizations also use the SSN to help verify the identity
of individuals. These organizations use SSNs, along with other
information, such as name, address, and date of birth, as a factor in
determining a member's identity. Health care officials said that health
care plans, in particular, use the SSN as the primary identifier of an
individual, and it often becomes the customer's insurance number.
Health care officials said that they use SSNs for identification
purposes, such as linking an individual's name to an SSN to determine
if premium payments have been made. They also use the SSN as an online
services identifier, as an alternative policy identifier, and for
phone-in identity verification. Health care organizations also use SSNs
to tie family members together where family coverage is used,[Footnote
11] to coordinate member benefits, and as a cross-check for pharmacy
transactions. Health care industry association officials also said that
SSNs are used for claims processing, especially with regard to
Medicare. According to these officials, under some Medicare programs,
SSNs are how Medicare identifies benefits provided to an individual.
Certain Laws Limit the Private Sectors' Disclosure of Personal
Information That Includes SSNs:
Certain federal and state laws have placed restrictions on certain
private sector entities use and disclosure of consumers' personal
information that includes SSNs. Such laws include the Fair Credit
Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Drivers
Privacy Protection Act (DPPA), and the Health Insurance Portability and
Accountability Act (HIPAA). As shown in table 1, the laws either
restrict the disclosures that entities such as information resellers,
CRAs, and health care organizations are allowed to make to specific
purposes or restrict whom they are allowed to give the information to.
Moreover, as shown in table 1, these laws focus on limiting or
restricting access to certain personal information and are not
specifically focused on information resellers. See appendix I for more
information on these laws.
Table 1: Aspects of Federal Laws That Affect Private Sector Disclosure
of Personal Information:
Federal Laws: Fair Credit Reporting Act; Restrictions: Limits access to
credit data that includes SSNs to those who have a permissible purpose
under the law.
Federal Laws: Gramm-Leach-Bliley Act;
Restrictions: Creates a new definition of personal information that
includes SSNs and limits when financial institutions may disclose the
information to non-affiliated third parties.
Federal Laws: Drivers Privacy Protection Act;
Restrictions: Prohibits obtaining and disclosing SSNs and other
personal information from a motor vehicle record except as expressly
permitted under the law.
Federal Laws: Health Insurance Portability and Accountability Act;
Restrictions: Protects the privacy of health information that
identifies an individual (including by SSNs) and restricts health care
organizations from disclosing such information to others without the
patient's consent.
Source: GAO analysis.
[End of table]
We reviewed selected legislative documents of 18 states and found that
at least 6 states have enacted their own legislation to restrict either
the display or use of SSNs by the private sector.[Footnote 12] Notably,
in 2001, California enacted Senate Bill (SB) 168, restricting private
sector use of SSNs. Specifically, this law generally prohibits
companies and persons from certain uses such as, posting or publicly
displaying SSNs and printing SSNs on cards required to access the
company's products or services. Furthermore, in 2002, shortly after the
enactment of SB 168, California's Office of Privacy Protection
published recommended practices for protecting the confidentiality of
SSNs. These practices were to serve as guidelines to assist private and
public sector organizations in handling SSNs.
Similar to California's law, Missouri's law (2003 Mo. SB 61), which is
not effective until July 1, 2006, bars companies from requiring
individuals to transmit SSNs over the Internet without certain safety
measures, such as encryption and passwords. However, while SB 61
prohibits a person or private entity from publicly posting or
displaying an individual's SSN "in any manner," unlike California's
law, it does not specifically prohibit printing the SSN on cards
required to gain access to products or services. In addition, Arizona's
law (2003 Ariz. Sess. Laws 137), effective January 1, 2005, restricts
the use of SSNs in ways very similar to California's law. However, in
addition to the private sector restrictions, it adds certain
restrictions for state agencies and political subdivisions.[Footnote
13] For example, state agencies and political subdivisions are
prohibited from printing an individual's SSN on cards and certain
mailings to the individual. Last, Texas prohibits the display of SSNs
on all cards, while Georgia and Utah's laws are directed at health
insurers and, therefore, pertain primarily to insurance identification
cards.[Footnote 14] None of these three laws contain the provisions
mentioned above relating to Internet safety measures and mailing
restrictions. Table 2 lists states that have enacted legislation and
related provisions.
Table 2: Provisions Included in Enacted Legislation Reviewed:
Provision: Specifically prohibits display on cards;
States Where Provision or Restriction Enacted: AZ, CA, GA, TX, UT.
Provision: Requires Internet safety measures;
States Where Provision or Restriction Enacted: AZ, CA, MO.
Provision: Restricts mailing of SSNs;
States Where Provision or Restriction Enacted: AZ, CA.
Source: GAO analysis.
[End of table]
Public Sector Entities Also Use SSNs and Some Agencies Limit Their Use
and Display:
Agencies at all levels of government frequently obtain and use SSNs. A
number of federal laws require government agencies to obtain SSNs, and
these agencies use SSNs to administer their programs, verify
applicants' eligibility for services and benefits, and do research and
evaluation. In addition, given the open nature of certain government
records, SSNs appear in some records displayed to the public. Given the
potential for misuse, some government agencies are taking steps to
limit their use and display of SSNs and prevent the proliferation of
false identities.
Public Sector Entities Are Required by Laws and Regulations to Obtain
SSNs and Use SSNs for Various Purposes:
Government agencies obtain SSNs because a number of federal laws and
regulations require certain programs and federally funded activities to
use the SSN for administrative purposes.[Footnote 15] Such laws and
regulations require the use of the SSN as an individual's identifier to
facilitate automated exchanges that help administrators enforce
compliance with federal laws, determine eligibility for benefits, or
both. For example, the Internal Revenue Code and regulations, which
govern the administration of the federal personal income tax program,
require that individuals' SSNs serve as taxpayer identification
numbers.[Footnote 16] A number of other federal laws require program
administrators to use SSNs in determining applicants' eligibility for
federally funded benefits. The Social Security Act requires individuals
to provide their SSNs in order to receive benefits under the SSI, Food
Stamp, Temporary Assistance for Needy Families, and Medicaid
programs.[Footnote 17] In addition, the Commercial Motor Vehicle Safety
Act of 1986 requires the use of SSNs to identify individuals and
established the Commercial Driver's License Information System, a
nationwide database where states may use individuals' SSNs to search
the database for other state-issued licenses commercial drivers may
hold.[Footnote 18] Federal law also requires the use of SSNs in state
child support programs to help states locate noncustodial parents,
establish and enforce support orders, and recoup state welfare payments
from parents.[Footnote 19] The law also requires states to record SSNs
on many other state documents, such as professional, occupational, and
marriage licenses; divorce decrees; paternity determinations; and death
certificates.
Government agencies use SSNs for a variety of reasons. We found that
most of these agencies use SSNs to administer their programs, such as
to identify, retrieve, and update their records. In addition, many
agencies also use SSNs to share information with other entities to
bolster the integrity of the programs they administer. As unique
identifiers, SSNs help ensure that the agency is obtaining or matching
information on the correct person.
Government agencies also share information containing SSNs for the
purpose of verifying an applicant's eligibility for services or
benefits, such as matching records with state and local correctional
facilities to identify individuals for whom the agency should terminate
benefit payments. SSNs are also used to ensure program integrity.
Agencies use SSNs to collect delinquent debts and even share
information for this purpose. In addition, SSNs are used for
statistics, research, and evaluation. Agencies responsible for
collecting and maintaining data for statistical programs that are
required by statute, make use of SSNs. In some cases, these data are
compiled using information provided for another purpose. For example,
the Bureau of the Census prepares annual population estimates for
states and counties using individual income tax return data linked over
time by SSN to determine immigration rates between localities.[Footnote
20] SSNs also provide government agencies and others with an effective
mechanism for linking data on program participation with data from
other sources to help evaluate the outcomes or effectiveness of
government programs. In some cases, records containing SSNs are
sometimes matched across multiple agency or program databases.[Footnote
21]
Government agencies also use employees' SSNs to fulfill some of their
responsibilities as employers. For example, personnel departments of
these agencies use SSNs to help them maintain internal records and
provide employee benefits. In addition, employers are required by law
to use employees' SSNs when reporting wages. Wages are reported to SSA,
and the agency uses this information to update earnings records it
maintains for each individual. The Internal Revenue Service (IRS) also
uses SSNs to match the employer wage reports with amounts individuals
report on personal income tax returns. Federal law also requires that
states maintain employers' reports of newly hired employees, identified
by SSNs. States must forward this information to a national database
that is used by state child support agencies to locate parents who are
delinquent in child support payments.
Finally, SSNs appear in some government records that are open to the
public. For example, SSNs may already be a part of a document that is
submitted to a recorder for official preservation, such as veterans'
discharge papers. Documents that record financial transactions, such as
tax liens and property settlements, also contain SSNs to help identify
the correct individual. Government officials are also required by law
to collect SSNs in numerous instances, and some state laws allow
government entities to collect SSNs on voter registries to help avoid
duplicate registrations. In addition, courts at all three levels of
government also collect and maintain records that are routinely made
available to the public. SSNs appear in court documents for a variety
of reasons such as on documents that government officials create like
criminal summonses, and in many cases, SSNs are already a part of
documents that are submitted by attorneys or individuals as part of the
evidence for a proceeding or a petition for an action. In some cases,
federal law requires that SSNs be placed in certain records that courts
maintain, such as child support orders.
Government Agencies Are Taking Steps to Limit the Use and Display of
SSNs:
Despite the widespread use of SSNs at all levels of government, not all
agencies use SSNs. We found that some agencies do not obtain, receive,
or use SSNs of program participants, service recipients, or individual
members of the public.[Footnote 22] Moreover, not all agencies use the
SSN as their primary identification number for record-keeping purposes.
These agencies maintain an alternative number that is used in addition
to or in lieu of SSNs for certain activities.
Some agencies are also taking steps to limit SSNs displayed on
documents that may be viewed by others who may not have a need to view
this personal information. For example, the Social Security
Administration has truncated individuals' SSNs that appear on the
approximately 120 million benefits statements it mails each year. Some
states have also passed laws prohibiting the use of SSNs as a student
identification number. Almost all states have modified their policies
on placing SSNs on state drivers' licenses.
At the federal level, SSA has taken steps in its enumeration process
and verification service to help prevent SSNs from being used to
proliferate false identities. SSA has formed a task force to address
weaknesses in its enumeration process and has (1) increased document
verifications and developed new initiatives to prevent the
inappropriate assignment of SSNs to noncitizens, and (2) undertaken
initiatives to shift the burden of processing noncitizen applications
from its field offices.[Footnote 23] SSA also helps prevent the
proliferation of false identities through its verification service,
which allows state driver licensing agencies to verify the SSN, name,
and date of birth of customers with SSA's master file of Social
Security records. Finally, SSA has also acted to correct deficiencies
in its information systems' internal controls. These changes were made
in response to the findings of an independent audit that found that
SSA's systems were exposed to both internal and external intrusion,
increasing the possibility that sensitive information such as SSNs
could be subject to unauthorized access, modification, and disclosure,
as well as the risk of fraud.
With regard to the courts, in a prior report we suggested that Congress
consider addressing SSN security and display issues in state and local
government and in public records, including those maintained by the
judicial branch of government at all levels.[Footnote 24] We proposed
that Congress convene a representative group of officials from all
levels of government to develop a unified approach to safeguard SSNs
used in all levels of government and particularly those displayed in
public records.
Conclusions:
Public and private entities use SSNs for many legitimate and publicly
beneficial purposes. However, the more frequently SSNs are obtained and
used, the more likely they are to be misused. Individuals may
voluntarily provide their SSNs to the private and public sectors to
obtain services, but they should be able to be confident that their
personal information is safe and secure. As we continue to learn more
about the entities that obtain SSNs and the purposes for which they
obtain them, policy makers will be able to determine if there are ways
to limit access to this valuable piece of information and prevent it
from being misused. However, restrictions on access or use may make it
more difficult for businesses and government agencies to verify an
individual's identity. Accordingly, policy makers will have to balance
the potential benefits of restrictions on the use of SSNs on the one
hand with the impact on legitimate needs for the use of SSNs on the
other.
We are continuing our work on protecting the privacy of SSNs in the
private and public sectors, and we are pleased that this Subcommittee
is considering this important policy issue. That concludes my
testimony, and I would be pleased to respond to any questions the
subcommittee has.
Contacts and Acknowledgments:
For further information regarding this testimony, please contact
Barbara D. Bovbjerg, Director or Tamara Cross, Assistant Director at
(202) 512-7215.
[End of section]
Appendix I: Federal Laws Affecting Information Resellers, CRAs, and
Health Care Organizations:
Gramm-Leach-Bliley Act (GLBA):
GLBA requires companies to give consumers privacy notices that explain
the institutions' information-sharing practices. In turn, consumers
have the right to limit some, but not all, sharing of their nonpublic
personal information. Financial institutions are permitted to disclose
consumers' nonpublic personal information without offering them an opt-
out right in the following circumstances:
* to effect a transaction requested by the consumer in connection with
a financial product or service requested by the consumer; maintaining
or servicing the consumer's account with the financial institution or
another entity as part of a private label credit card program or other
extension of credit; or a proposed or actual securitization, secondary
market sale, or similar transaction;
* with the consent or at the direction of the consumer;
* to protect the confidentiality or security of the consumer's records;
to prevent actual or potential fraud, for required institutional risk
control or for resolving customer disputes or inquiries, to persons
holding a legal or beneficial interest relating to the consumer, or to
the consumer's fiduciary;
* to provide information to insurance rate advisory organizations,
guaranty funds or agencies, rating agencies, industry standards
agencies, and the institution's attorneys, accountants, and auditors;
* to the extent specifically permitted or required under other
provisions of law and in accordance with the Right to Financial Privacy
Act of 1978, to law enforcement agencies, self-regulatory
organizations, or for an investigation on a matter related to public
safety;
* to a consumer reporting agency in accordance with the Fair Credit
Reporting Act or from a consumer report reported by a consumer
reporting agency;
* in connection with a proposed or actual sale, merger, transfer, or
exchange of all or a portion of a business if the disclosure concerns
solely consumers of such business;
* to comply with federal, state, or local laws; an investigation or
subpoena; or to respond to judicial process or government regulatory
authorities.
Financial institutions are required by GLBA to disclose to consumers at
the initiation of a customer relationship, and annually thereafter,
their privacy policies, including their policies with respect to
sharing information with affiliates and non-affiliated third parties.
Provisions under GLBA place limitations on financial institutions
disclosure of customer data, thus affecting some CRAs and information
resellers. We found that some CRAs consider themselves to be financial
institutions under GLBA.[Footnote 25] These entities are therefore
directly governed by GLBA's restrictions on disclosing nonpublic
personal information to non-affiliated third parties. We also found
that some of the information resellers we spoke to did not consider
their companies to be financial institutions under GLBA. However,
because they have financial institutions as their business clients,
they complied with GLBA's provisions in order to better serve their
clients and ensure that their clients are in accordance with GLBA. For
example, if information resellers received information from financial
institutions, they could resell the information only to the extent that
they were consistent with the privacy policy of the originating
financial institution.
Information resellers and CRAs also said that they protect the use of
non-public personal information and do not provide such information to
individuals or unauthorized third parties. In addition to imposing
obligations with respect to the disclosures of personal information,
GLBA also requires federal agencies responsible for financial
institutions to adopt appropriate standards for financial institutions
relating to safeguarding customer records and information. Information
resellers and CRA officials said that they adhere to GLBA's standards
in order to secure financial institutions' information.
Drivers Privacy Protection Act (DPPA):
The DPPA specifies a list of exceptions when personal information
contained in a state motor vehicle record may be obtained and used (18
U.S.C. § 2721(b)). These permissible uses include:
* for use by any government agency in carrying out its functions;
* for use in connection with matters of motor vehicle or driver safety
and theft; motor vehicle emissions; motor vehicle product alterations,
recalls, or advisories; motor vehicle market research activities,
including survey research;
* for use in the normal course of business by a legitimate business,
but only to verify the accuracy of personal information submitted by
the individual to the business and, if such information is not correct,
to obtain the correct information but only for purposes of preventing
fraud by pursuing legal remedies against, or recovering on a debt or
security interest against, the individual;
* for use in connection with any civil, criminal, administrative, or
arbitral proceeding in any federal, state, or local court or agency;
* for use in research activities;
* for use by any insurer or insurance support organization in
connection with claims investigation activities;
* for use in providing notice to the owners of towed or impounded
vehicles;
* for use by a private investigative agency for any purpose permitted
under the DPPA;
* for use by an employer or its agent or insurer to obtain information
relating to the holder of a commercial driver's license;
* for use in connection with the operation of private toll
transportation facilities;
* for any other use, if the state has obtained the express consent of
the person to whom a request for personal information pertains;
* for bulk distribution of surveys, marketing, or solicitations, if the
state has obtained the express consent of the person to whom such
personal information pertains;
* for use by any requester, if the requester demonstrates that it has
obtained the written consent of the individual to whom the information
pertains;
* for any other use specifically authorized under a state law, if such
use is related to the operation of a motor vehicle or public safety.
As a result of DPPA, information resellers said they were restricted in
their ability to obtain SSNs and other driver license information from
state motor vehicle offices unless they were doing so for a permissible
purpose under the law. These officials also said that information
obtained from a consumer's motor vehicle record has to be in compliance
with DPPA's permissible purposes, thereby restricting their ability to
resell motor vehicle information to individuals or entities not allowed
to receive such information under the law. Furthermore, because DPPA
restricts state motor vehicle offices' ability to disclose driver
license information, which includes SSN data, information resellers
said they no longer try to obtain SSNs from state motor vehicle
offices, except for permissible purposes.
Health Insurance Portability and Accountability Act (HIPAA):
The HIPAA privacy rule also defines some rights and obligations for
both covered entities and individual patients and health plan members.
Some of the highlights are:
* Individuals must give specific authorization before health care
providers can use or disclose protected information in most nonroutine
circumstances, such as releasing information to an employer or for use
in marketing activities.
* Covered entities will need to provide individuals with written notice
of their privacy practices and patients' privacy rights. The notice
will contain information that could be useful to individuals choosing a
health plan, doctor, or other service provided. Patients will be
generally asked to sign or otherwise acknowledge receipt of the privacy
notice.
Covered entities must obtain an individual's specific authorization
before sending them marketing materials.
Health care organizations, including health care providers and health
plan insurers, are subject to HIPAA's requirements. In addition to
providing individuals with privacy practices and notices, health care
organizations are also restricted from disclosing a patient's health
information without the patient's consent, except for purposes of
treatment, payment, or other health care operations. Information
resellers and CRAs did not consider themselves to be "covered entities"
under HIPAA, although some information resellers said that their
customers are considered to be business associates under HIPAA. As a
result, they said they are obligated to operate under HIPAA's standards
for privacy protection, and therefore could not resell medical
information without having made sure HIPAA's privacy standards were
met.
Fair Credit Reporting Act (FCRA):
Congress has limited the use of consumer reports to protect consumers'
privacy. All users must have a permissible purpose under the FCRA to
obtain a consumer report (15 USC 1681b). These permissible purposes
are:
* as ordered by a court or a federal grand jury subpoena;
* as instructed by the consumer in writing;
* for the extension of credit as a result of an application from a
consumer or the review or collection of a consumer's account;
* for employment purposes, including hiring and promotion decisions,
where the consumer has given written permission;
* for the underwriting of insurance as a result of an application from
a consumer;
* when there is a legitimate business need, in connection with a
business transaction that is initiated by the consumer;
* to review a consumer's account to determine whether the consumer
continues to meet the terms of the account;
* to determine a consumer's eligibility for a license or other benefit
granted by a governmental instrumentality required by law to consider
an applicant's financial responsibility or status;
* for use by a potential investor or servicer or current insurer in a
valuation or assessment of the credit or prepayment risks associated
with an existing credit obligation; and:
* for use by state and local officials in connection with the
determination of child support payments, or modifications and
enforcement thereof.
Under FCRA, Congress has limited the use of consumer reports[Footnote
26] to protect consumers' privacy and limits access to credit data to
those who have a legally permissible purpose for using the data, such
as the extension of credit, employment purposes, or underwriting
insurance. However, these limits are not specific to SSNs. All of the
CRAs that we spoke to said that they are considered consumer reporting
agencies under FCRA. In addition, some of the information resellers we
spoke to who handle or maintain consumer reports are classified as CRAs
under FCRA. Both CRAs and information resellers said that as a result
of FCRAs restrictions they are limited to providing credit data to
their customers that have a permissible purpose under FCRA.
Consequently, they are restricted by law from providing such
information to the general public.
FOOTNOTES
[1] GAO, Social Security Numbers: Private Sector Entities Routinely
Obtain and Use SSNs, and Laws Limit the Disclosure of This Information,
GAO-04-11 (Washington D.C.: January 22, 2004).
[2] See GAO, Social Security Numbers: Government Benefits from SSN Use
but Could Provide Better Safeguards, GAO-02-352 (Washington, D.C.: May
31, 2002).
[3] GAO-04-11 (Washington D.C.: January 2004).
[4] GAO-02-352 (Washington D.C.: May 2002).
[5] GAO-02-352 (Washington D.C.: May 2002).
[6] United States Sentencing Commission, Identity Theft Final Alert
(Washington, D.C.: Dec. 15, 1999).
[7] GAO, Identity Theft: Prevalence and Cost Appear to be Growing, GAO-
02-363 (Washington, D.C.: Mar. 1, 2002).
[8] A fraud alert is a warning that someone may be using the consumer's
personal information to fraudulently obtain credit. When a fraud alert
is placed on a consumer's credit card file, it advises credit grantors
to conduct additional identity verification before granting credit. The
three consumer reporting agencies offers fraud alerts that can vary
from 2 to 7 years at the discretion of the individual.
[9] Information resellers, sometimes referred to as information
brokers, are businesses that specialize in amassing consumer
information that includes SSNs for informational services. CRAs, also
known as credit bureaus, are agencies that collect and sell information
about the creditworthiness of individuals. Health care organizations
generally deliver their services through a coordinated system that
includes health care providers and health plans, also referred to as
health care insurers.
[10] We found that CRAs and information resellers can sometimes be the
same entity, a fact that blurs the distinction between the two types of
businesses but does not affect the use of SSNs by these entities. Five
of the six large information resellers we spoke to said they were also
CRAs. Some CRA officials said that information reselling constituted as
much as 40 percent of CRAs' business.
[11] During the enrollment process, subscribers have a number of
options, one of which is decided whether they would like single or
family coverage. In cases where family coverage is chosen, the SSN is
the key piece of information generally allowing the family members to
be linked.
[12] On the basis of our interviews with private sector businesses and
organizations, contacts with some state offices of attorney general,
and identification of state laws and legislative initiatives related to
the use of SSNs, we did a legislative review of 18 states that were
identified as having laws or proposed laws governing SSN use. In the 18
states we researched, we reviewed more than 40 legislative documents,
including relevant laws, proposed laws, legislative summaries, and
other related documents, such as state regulations, executive orders,
and referendums.
[13] Political subdivisions would include counties, cities, and towns.
[14] Georgia's law (O.C.G.A. §33-24-57.1(f)) and Utah's law (Utah Code
Ann. §31-22-634) were both effective July 1, 2004. However, Utah's law
provides certain extensions until March 1, 2005. Texas' law (2003 Tex.
Gen. Laws 341) is effective March 1, 2005.
[15] GAO, Social Security Numbers: Government and Commercial Use of the
Social Security Number is Widespread, GAO/HEHS-99-28 (Washington D.C.:
February 1999).
[16] This means that employers and others making payments to
individuals must include the individuals' SSNs in reporting to IRS many
of these payments. In addition, the Code and regulations require
individuals filing personal income tax returns to include their SSNs as
their taxpayer identification number, the SSNs of people whom they
claim as dependents, and the SSNs of spouses to whom they paid alimony.
[17] Applicants give program administrators information on their income
and resources, and program administrators use applicants' SSNs to match
records with those of other organizations.
[18] States may also use SSNs to search another database, the National
Driver's Registry, to determine whether an applicant's license has been
cancelled, suspended, or revoked by another state. In these situations,
the states use SSNs to limit the possibility of inappropriately
licensing applicants.
[19] The law requires states to maintain records that include (1) SSNs
for individuals who owe or are owed support for cases in which the
state has ordered child support payments to be made, the state is
providing support, or both, and (2) employers' records of new hires
identified by SSN.
[20] The Bureau of the Census is authorized by statute to collect a
variety of information, and the Bureau is also prohibited from making
it available, except in certain circumstances.
[21] The statistical and research communities refer to the process of
matching records containing SSNs for statistical or research purposes
as "record linkage." See U.S. General Accounting Office, Record Linkage
and Privacy: Issues in Creating New Federal Research and Statistical
Information, GAO-01-126SP (Washington, D.C.: Apr. 2001).
[22] GAO-02-352 (Washington D.C.: May 2002).
[23] See GAO, Social Security Administration: Actions Taken to
Strengthen Procedures for Issuing Social Security Numbers to
Noncitizens but Some Weakness Remain, GAO-04-12 (Washington D.C.:
October 15, 2003). See GAO, Social Security Numbers: Improved SSN
Verification and Exchange of States' Driver Records Would Enhance
Identity Verification, GAO-03-920 (Washington D.C.: September 15,
2003).
[24] GAO-02-352 (Washington D.C.: May 2002)
[25] Under GLBA, the term financial institution is defined as "any
institution the business of which is engaging in financial activities
as described in section 4(k) of the Bank Holding Company Act of 1956,"
which goes into more detail about what are "activities that are
financial in nature." These generally include banking, insurance, and
investment industries.
[26] The FTC has determined that certain types of information,
including SSNs, do not constitute as consumer report under FCRA because
they are not factors in determining credit eligibility.